I am doing a security aseesmment on communication security of a legacy IoT Device. So basically objective is to assess and find security gaps in curreny design/implementation. The mode of assessment is manual, primarily with the reference of existing design and code. This is only client side at device; while server is a cloud based server. The device is using a GSM module (SIMCom SIM900) and makes HTTPS communication to server over internet using GSM AT commands.
Based on my understanding on SSL/TLS, I am considering below parameters or criterias for this assessment:
a. TLS portocol version
b. Cipher suites used
c. certificate and key management
d. Root CAs installed on device
e. Embedded PKI aspect for device identity management
f. Hardware crypto aspect (SHE/TPM)
Am I doing it in a right way? Though I think above list of parameters are not specific to Device HW/SW platform; rather generic. but I guess that’s how it should be! I mean parameter list will be pretty much same; however actual assessment on these will depend on security requirements and other aspects like device footprint & its platform etc.
Is the assessment parameter list I am considering is good and adequate? I would appreciate your inputs to validate/correct my approach.